Sunday, September 18, 2011

Session Puzzling and Session Race Conditions

A couple of months ago, I published a paper on an under-emphasized application level attack vector nicknamed "Session Puzzling" – an attack pattern that can abuse improper usage of session variables (a.k.a "Session Puzzles") in order to impersonate users, elevate privileges, bypass security restrictions and even execute "traditional" attack vectors against applications, while bypassing any existing security mechanisms by attacking the application using a trusted input source.

Even though the paper was published alongside a training kit that was meant to demonstrate the various attack vectors (a vulnerable application called "puzzlemall"), the vast majority of responses I got made me realize that most of the 2000 security professionals who were exposed to this attack did not manage to understand it.

Some of the responses associated the paper with unrelated attacks, some didn't understand the impact or the mechanics, and some responses even claimed that the attack is too complicated to perform (!?!).

Although I know that the attack is not simple, and that several session puzzling vectors require 10+ requests, I refuse to believe it's that complicated.

Over the last couple of years, I have seen many commercial applications that were vulnerable to this attack (Oracle E-Business Suite included), so I'm giving it one more shot before I let the attack fall into the "too complicated to explain" category and keep it all to myself.

The original whitepaper and presentation can be downloaded from the following addresses (they contain background, additional attack vectors and mitigations): Whitepaper, Presentation

Although the original attack relied on the existence of persistent session values, an extended attack was presented last week (15th of September) at a local OWASP chapter meeting.

The extended method (nicknamed "Temporal Session Race Conditions") enables detecting and exploiting session puzzles even if the session variables have a lifespan of milliseconds (session-level race conditions), by increasing the latency of certain lines of code through the use of layer-targeted denial of service attacks.
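To make "improper usage of session variables" concrete, here is an added example in plain Python (my own illustration, not code from the paper or the puzzlemall kit): the login flow and the first phase of a password-recovery flow both store the current username under the same session key, so a profile module that trusts that key can be reached without ever authenticating. The hardened version underneath scopes the keys per flow and carries explicit state; the user table, passwords, and function names are assumptions made for this example.

```python
# Constructed illustration of a session puzzle: two modules share one session
# key with different meanings. The scenario, user table and password check are
# assumptions for this example, not code from the paper or the puzzlemall kit.
USERS = {"alice": "alice@example.test", "admin": "root@example.test"}
PASSWORDS = {"alice": "wonderland", "admin": "s3cret"}   # constructed sample data

# --- Vulnerable design: login and password recovery both write "user" -------
def login_vuln(session, username, password):
    if PASSWORDS.get(username) == password:
        session["user"] = username            # marks the session as authenticated
        return True
    return False

def recovery_step1_vuln(session, username):
    # Phase 1 of recovery remembers whose security question phase 2 should ask.
    if username in USERS:
        session["user"] = username            # same key the login flow relies on
        return True
    return False

def profile_vuln(session):
    # Treats the mere presence of "user" as proof of authentication.
    user = session.get("user")
    return USERS[user] if user else None

# --- Hardened design: one key per flow, each carrying explicit state ----------
def login_fixed(session, username, password):
    if PASSWORDS.get(username) == password:
        session["auth"] = {"user": username}
        return True
    return False

def recovery_step1_fixed(session, username):
    if username in USERS:
        session["recovery"] = {"user": username, "phase": 1}
        return True
    return False

def profile_fixed(session):
    # Only the login flow ever writes "auth"; recovery state cannot satisfy it.
    auth = session.get("auth")
    return USERS[auth["user"]] if auth else None

def demo():
    # Same request sequence against both designs: recovery phase 1, then profile.
    vuln, fixed = {}, {}
    recovery_step1_vuln(vuln, "admin")
    recovery_step1_fixed(fixed, "admin")
    return profile_vuln(vuln), profile_fixed(fixed)   # ("root@example.test", None)
```

The fix does not depend on how long the recovery value lives: with the temporal variant described above, a value that survives only for milliseconds is still a puzzle if another module reads the same key, so scoping keys per flow is what closes it.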

Additional Resources
An attack similar to session puzzling is mentioned under the name "session poisoning", but the session puzzling/TSRC sequences differ from it mainly by the lack of direct input dependency (see the multiphase restriction bypass scenario and the E-Business Suite exploit for the exception scenarios), and expand the attack tool-set in terms of methodology, predefined sequences, scope of modules, complementary methods and the use of denial of service to extend the lifespan of temporary session variables.

Still curious about additional uses for the fascinating attack you presented in your latest lecture at the Source conference at Barcelona ("advanced binary planting")... Will let you know if I find anything interesting.

Not in vain at all, Shay-Chen. When most eyes are on XSS, SQLi and CSRF, it's things like this, HTTP parameter pollution and, say, insecure object mapping (http://carnal0wnage.attackresearch.com/2011/12/insecure-object-mapping.html) that fail to get enough attention and only a few care to really think about. Such flaws are my favorite kind though: not really trivial to find but with potentially spectacular impact.